cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1445
Views
10
Helpful
13
Replies

Cisco ASA5506x and Cisco Switch 3750PoE vlan connection?

m-abooali
Level 4
Level 4

Hello good folks,

 

I have not dealt with this type of Firewalls before and my Firewalling is rusty kind of. I have an small office and am installing:

 

1- Cisco ASA5506x

2- Cisco L3 Switch 3750 PoE

3- An Access point ( currently in use)

 

we have a 100 MB ETernet to the Internet.

 

It seems that there is no way that I can fifure out to connect a trunck from switch to the ASA? I am trying to put FW at te edge facing the provider and Cisco 3750 behind the ASA FW and connect the access pont traffic to the switch using an access-point VALAN (accesspoint)

 

is my thinking of a trunk between switch and ASA wrong? is teh ASA capable receiving a trunk?

 

Please advise,

 

Best REgards,

 

Masood

 

 

2 Accepted Solutions

Accepted Solutions

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

Using a ASA 5505-X a trunk interface is acheived with a subinterface. If your trunk link from the 3750 was carrying VLANs 10,20,30 and connected to gi0/1 on the ASA you'd have this config:

!
interface gigabitethernet 0/1.10
  vlan 10
nameif vlan10 ip address 10.10.10.254 255.255.255.0 ! interface gigabitethernet 0/1.20 vlan 20
nameif vlan20 ip address 10.10.20.254 255.255.255.0 ! interface gigabitethernet 0/1.30 vlan 30
nameif vlan30 ip address 10.10.30.254 255.255.255.0 !

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-vlan.html

 

cheers,

Seb.

View solution in original post

Yes, you can create a L3 link between the ASA and 3750. However unless you have an IPServices license for the 3750 you will not be able to run a dynamic IGP (EIGRP/ OSPF) between the devices. This means you will have to configure static routes. Great for the short term, but may not scale very well in the future.

 

cheers,

Seb.

View solution in original post

13 Replies 13

m-abooali
Level 4
Level 4
I am replying to myself.

this is how I have tried to connect switch and my vlans to the ASA5506x
This is only example and IPs are not real:

interface Ethernet0/0
no shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/0.48
vlan 48
nameif vlan48
security-level 100
ip address 192.168.48.1 255.255.255.192
!
interface Ethernet0/0.101
vlan 101
nameif vlan101
security-level 100
ip address 192.168.48.66 255.255.255.224

this should have worked based my my knowledge!?

Please advise,

Best Regards,

Masood

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

Using a ASA 5505-X a trunk interface is acheived with a subinterface. If your trunk link from the 3750 was carrying VLANs 10,20,30 and connected to gi0/1 on the ASA you'd have this config:

!
interface gigabitethernet 0/1.10
  vlan 10
nameif vlan10 ip address 10.10.10.254 255.255.255.0 ! interface gigabitethernet 0/1.20 vlan 20
nameif vlan20 ip address 10.10.20.254 255.255.255.0 ! interface gigabitethernet 0/1.30 vlan 30
nameif vlan30 ip address 10.10.30.254 255.255.255.0 !

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-vlan.html

 

cheers,

Seb.

Thank you.

I have done that but still having problems. May be cable needs to be cross one?

Best Regards,

Masood

On the ASA, what is the output of:

sh arp

 

On the 3750:

sh mac add dyn

sh spanning-tree vlan 48

sh spanning-tree vlan 101

Thanks,

I will get those cmds output and will post them.

Best Regards,

Masood

Thank you,

 

I was going through the document you provied a link for and I see the following: what secondary means in this case? I remember back in the days we used to use " secondary" under a router's sub-interface but does it means the same here?

 

I have only three vlans:

 

access-point vlan

guest vlan

managmet and normal users vlan.

 

Best Regards,

 

Masood

 

 

no vlan 200 secondary 503
show running-config interface gigabitethernet0/6.200
!
interface GigabitEthernet0/6.200
 vlan 200 secondary 500 600-700
 no nameif
 no security-level
 no ip address

 

I admit I also didn't know the meaning of secondary key word for vlans on ASA.
Here's what I found on the config guide

Specify the VLAN for the subinterface:
vlan vlan_id [secondary vlan_range]

Example:

ciscoasa(config-subif)# vlan 101 secondary 52 64,66-74

The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.

The secondary VLANs can be separated by spaces, commas, and dashes (for a contiguous range). When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.

You cannot assign the same VLAN to multiple subinterfaces. You cannot assign a VLAN to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the ASA changes the old ID. To remove some secondary VLANs from the list, you can use the no command and only list the VLANs to remove. You can only selectively remove listed VLANs; you cannot remove a single VLAN in a range, for example.

Hi,



I think, its like we could attach a secondary gateway P address to a router Interface, these secondary VLANS are VLANS other than VLAN 101 that are allowed to pass through this interface.



Regards,



Masood


Thank you. I am sorry for the delay as project was halted for a time. it has started now. question, can I just connect using IPs at both side - only L3 connections instead of trunks and sub-ints?

Regards,

Masood

Yes, you can create a L3 link between the ASA and 3750. However unless you have an IPServices license for the 3750 you will not be able to run a dynamic IGP (EIGRP/ OSPF) between the devices. This means you will have to configure static routes. Great for the short term, but may not scale very well in the future.

 

cheers,

Seb.

Thank you Seb. I have a new discussion as i got stuck connecting a linksysE4500 wireless router to my Cisco 3750 PoE switch. Protocole or rbeidge issues i am assuming. Thanks for the response. Yes, EIGRP makes it much easier.

bninfosec
Level 1
Level 1

Hi, I"m curious what was the last solution you got in this scenario? I meant connecting the 5506x to the 3750PoE. Do you mind to share config  (of course not real IP and credential)? Thanks much

Hi,

Altho the 3750 is installed and operational but the ASA 5506x has not yet been installed. I am working on the details as none info has been available to me.

Will respond when its done. Thanks for writing to me on this.

Regards,

Masood
Review Cisco Networking for a $25 gift card